PAKISTANI STUDENT AND A WHITE HAT HACKER GET $20,000 BUG BOUNTY FROM GOOGLE FOR DISCOVERING A VULNERABILITY IN GMAIL’S VERIFICATION PROCESS THAT ALLOWED HIJACKING OF EMAIL ACCOUNTS.
It is a well-known fact that Google loves to give novice programmers, white hat hackers and security researchers an opportunity to prove their skills and capabilities by participating in Google’s Vulnerability Reward program.
Google invites researchers from all across the globe to find out flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes. In return, the successful candidate is awarded prizes. The core objective of these programs is to make Google’s apps and systems more protected and secure.
However, it isn’t an easy feat to accomplish since to qualify for Google’s VRP, it was vital that the bug/vulnerability is identified in any of these categories mentioned below:
Cross-site request forgery,
Authentication or authorization flaws,
Server-side code execution bugs”
When the vulnerability is identified as a valid one, the hacker can expect to receive up to $20,000 by Google.
Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuss, is the latest to win this prize money by Google. Mehtab discovered a flaw in Gmail’s authentication or verification methods.
If a user has more than one email address, Google lets the user link all of the addresses and also lets emails of the primary account be forwarded to secondary accounts.
Mehtab identified an inherent flaw in the verification bypass method adopted by Google for switching and linking email addresses, which leads to the hijacking of the email IDs. He discovered that the email addresses became vulnerable to hijacking when one of the following conditions occurs:
* When the SMTP of the recipient is offline
* The email has been deactivated by the recipient
* Recipient doesn’t exist or invalid email ID
* The recipient does exist but has blocked the sender.
Here is how hijacking can be conducted: the attacker tries to verify the ownership status of an email address by emailing Google. Google sends an email to that address for verification. The email address cannot receive the email and hence, Google’s mail is sent back to the actual sender and this time it contains the verification code. This verification code will be used by the hacker and the ownership to that particular address will be confirmed.